COPPA Rules Compliance
Websites that are targeted towards children under the age of 13, or that knowingly collect information from children under the age of 13, must comply with the Federal Trade Commission (FTC) COPPA rules (technically, the “COPPA Rule”). I have posted a few prior articles explaining the basics behind COPPA compliance and the 2013 COPPA changes that affected the data collection practices of many website operators.
As a refresher, here are several steps website operators should follow to ensure they are complying with the basic COPPA rules as originally established.
1. Post a complete and easy-to-understand privacy policy that is conspicuously located and distinguishable from other links (ex: a “fine print” type link attached at the bottom of a website that the user may or may not stumble upon will not be in compliance with the guidelines). It is imperative that the privacy policy describes in detail all methods of data collection by the website’s host AND any other entities collecting data from the site. All those involved in collecting data through the website need to be listed by name, and at least one needs to provide contact information as well. The policy must disclose how information from children is collected, what kinds of information are collected, how it is utilized, to whom it is disclosed, and how third parties use the data. Parental rights must also be listed, including an acknowledgement to parents that only information that is (reasonably) necessary is being collected; that they can view all information collected and can have it deleted or stop any further information from being gathered; that they can block third parties from the information while still allowing the main operator of the site to use it; and the methods for exercising these rights.
2. Provide a “direct notice” to parents before collecting information from kids, and if any changes to previous practices are made, parents need to be updated through a new “direct notice”. The notice needs to be clear and without unrelated information. In addition, it needs to state that the parent’s contact information was gathered in order to obtain their consent, and that consent is required for any collection, use, and disclosure of information you wish to obtain from their child.
3. Obtain parental consent before you collect personally identifiable information (PII) from children under 13. The direct notice sent to parents needs to list how parents can give their consent, which can be given by way of a signed consent form sent in physically or through electronic scan, calling a staff member via phone or video, providing a government-issued ID (identification records must be deleted once verification has been completed), or notification of each transaction by way of credit card, debit card, or other online payment system. Parents need to be aware that if they do not consent in a “reasonable” amount of time, their information will be deleted. If information is only being collected internally and is not disclosed elsewhere, an email followed by a confirmation notice will suffice, but parents or guardians must be notified that they can retract their consent at any time. Make sure parents are also aware that they can block third-party access to any information. There are exceptions to the general rule requiring parental consent before collecting personal information from children, but notice requirements may still exist despite any applicable exceptions.
4. Recognize a parent’s rights to the information being gathered from their child. If parents ask, you need to be able to provide them with a list of all information gathered, a way to revoke consent and stop any further use or collection of their child’s data, and a way to delete all of their child’s information. Make sure all communication and information shared with parents is clear and concise to minimize any chance of confusion.
5. Use reasonable data security protection measures to uphold the confidentiality and security of the child’s information. To do this, minimize the information gathered and have a protocol for the release of information to service providers and other third parties. Make sure these parties hold themselves to standards similar to your own. Ensure these parties only hold on to the information for the periods of time necessary for their tasks and that they use it only for the objective for which it was collected. Finally, once all information has served its purpose, it must be quickly and safely disposed of by the website operators.
Updated COPPA Personally Identifiable Information (PII)
What has changed since the COPPA rules were enacted? Well, technology has come a long way, of course, especially in terms of data collection. Thus, effective July 1, 2013, the FTC updated the COPPA Rules to ensure the definition of PII kept pace with current technology. Among the key additions back then were “persistent identifiers” (cookies, IP addresses, etc.) that track users for extended durations of time and across different sites, and geolocation information.
Here is an updated checklist of the PII that must be disclosed under the COPPA rules for 2017:
- First and last name;
- Physical address, including street name, city or town;
- Online contact information;
- Screen or user name that functions as online contact information (under the amended COPPA rules, a screen or user name is personal information where it functions in the same manner as online contact information, which includes not only an email address, but any other “substantially similar identifier that permits direct contact with a person online.”);
- Telephone number;
- Social security number;
- Persistent identifier that can be used to recognize a user over time and across different websites, devices or online services;
- Photograph, video, or audio file where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that website operators collect online from the child and combine with an identifier described above.
2017 Updated FTC COPPA Guidance
The FTC recently updated its COPPA Compliance Plan in June to provide guidance to businesses in an effort to reflect changes in technology. First, the definition of “websites or online services” was expanded to include connected toys and “other Internet of Things” devices. This now includes toys and devices that collect PII from children, such as voice recordings or geolocation data. The updated guidance may have come in response to the letter sent to the FTC in May by Senator Mark Warner of Virginia urging increased protections under COPPA. Senator Warner’s letter was sent after several recent high-profile instances of children’s personal data being hacked through the proliferation of apps and Internet-connected smart toys.
Second, two new methods for obtaining parental consent prior to collecting PII from children were also announced by the FTC. This updated guidance provides that parental consent may be obtained either by: (a) asking parents a series of knowledge-based authentication questions; or (b) requesting a copy of a parent’s driver’s license and matching that photo to a second photo provided by the parent using facial recognition technology. These new methods are in addition to the already acceptable methods of obtaining parental consent, including consent forms, calling a toll-free number that is answered by trained personnel, or video conference.
COPPA Rules Compliance Trends
In 2017, there are a few primary trends that websites collecting information from children should understand to stay COPPA compliant. These website operators should revisit their data collection and security practices in light of these recent trends and developments to ensure compliance with the updated COPPA rules.
1. Data Security is Key. The touchstone of the FTC’s approach to data security is a standard of “reasonableness”: a company’s data security measures must be reasonable in light of the “sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” (FTC: Beyond Cookies: “Privacy Lessons for Online Advertising”. January 21st, 2015). The FTC’s Fair Information Practices also require that a mechanism for notification of data breaches is in place. As an example of the importance of this measure, the FTC alleged that TRENDnet, a company that sells in-home cameras for baby monitoring, left itself vulnerable to hackers, resulting in hundreds of home cameras being live-streamed on the internet.
2. Identify New Data Collection Practices. Since 2013, some methods of collecting data have become much more common. For example, collecting information from children across multiple devices (by using a corresponding app, for example) and compiling aggregate use information which is then linked to a single user profile (including a unique device ID) should be disclosed. Similarly, website operators should disclose all subsets of tracking information, not just a single use, and should be precise and complete in their information/data use disclosures. The increasingly common practice of “history sniffing”, where a user’s browsing history across the Internet is tracked, serves as an example.
Remember, website operators should always be truthful and honest in notifying parents about how they collect information from their child. If your site does send child information to third parties, make sure that parents know this and that the third parties are trustworthy. Anything less goes against the COPPA rules.